Password protection is a popular authentication method for many computer and network resources. However, due to security concerns, users are often forced to change their passwords. This can result in a user forgetting his/her current password and calling a system administrator to reset the password. Password resets consume a large percentage of a system administrator's time.
Self-service password reset systems can alleviate pressure on a system administrator by allowing users to reset their passwords themselves. A user who desires to reset a password may be asked to authenticate himself/herself in some manner. For example, a user may be asked to provide the user's mother's maiden name or some other piece of personal information that the user has previously registered with the system. If the user passes the authentication test, the user is permitted to reset his/her password and use it to access the resource. The user's rights to information or access within the resource may then be controlled via a permission setting associated with the user.
It is disadvantageous, however, for self-service password reset systems to require the same level of authentication from all users. Permission settings often vary widely among users within the resource. Accordingly, the security risk posed by unauthorized access to a user's password may be user-specific. For example, a CEO may be provided access to all corporate network files, while a part-time employee may be provided with very little access. As such, an administrator who requires a stringent password-reset test potentially sacrifices usability for the majority of users in favor of protecting the passwords of the users (e.g., the CEO) with the greatest privileges to protected areas within the resource. A less stringent test potentially sacrifices security in favor of usability.
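The tradeoff described above can be resolved by deriving the strength of the reset test from the user's permission setting rather than applying one test to everyone. The following is an added example, not code from the original description: it derives a privilege tier from a user's permissions and requires more verification steps for higher tiers before a reset is allowed. The permission names, the three tiers, and the verification methods (registered security question, emailed one-time code, manager approval) are assumptions chosen for illustration; registered answers and codes are stored salted and hashed and compared in constant time.

```python
import hashlib
import hmac
import secrets

# Constructed sample of permission settings per user (names are assumptions).
PERMISSIONS = {
    "ceo":        {"read:all", "write:all", "admin:finance"},
    "engineer":   {"read:eng", "write:eng"},
    "part_timer": {"read:public"},
}

# Verification steps each tier must pass before a reset is permitted (assumed policy).
REQUIRED_CHECKS = {
    "low":    {"security_question"},
    "medium": {"security_question", "email_code"},
    "high":   {"security_question", "email_code", "manager_approval"},
}


def privilege_tier(perms):
    """Map a permission setting to a tier; broad or administrative rights rank highest."""
    if any(p.startswith("admin:") or p.endswith(":all") for p in perms):
        return "high"
    if any(p.startswith("write:") for p in perms):
        return "medium"
    return "low"


def _hash(secret, salt):
    # Slow, salted hash so a leaked registry does not reveal answers or codes.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class ResetRegistry:
    """Holds registered security answers, issued one-time codes and manager approvals."""

    def __init__(self):
        self._answers = {}     # user -> (salt, hash of normalised answer)
        self._codes = {}       # user -> (salt, hash of one-time code)
        self._approvals = set()

    def register_answer(self, user, answer):
        salt = secrets.token_bytes(16)
        self._answers[user] = (salt, _hash(answer.strip().lower(), salt))

    def issue_code(self, user):
        # In a real system the code would be delivered out of band (e-mail).
        code = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        self._codes[user] = (salt, _hash(code, salt))
        return code

    def record_approval(self, user):
        self._approvals.add(user)

    def _check(self, store, user, value):
        if user not in store:
            return False
        salt, expected = store[user]
        return hmac.compare_digest(_hash(value, salt), expected)

    def verify(self, user, evidence):
        """Return the set of verification steps the supplied evidence satisfies."""
        passed = set()
        answer = evidence.get("security_question", "").strip().lower()
        if self._check(self._answers, user, answer):
            passed.add("security_question")
        if self._check(self._codes, user, evidence.get("email_code", "")):
            passed.add("email_code")
            self._codes.pop(user, None)   # a one-time code is consumed on use
        if evidence.get("manager_approval") and user in self._approvals:
            passed.add("manager_approval")
        return passed


def reset_allowed(user, evidence, registry):
    """Decide a reset request; returns (allowed, tier, steps still missing)."""
    tier = privilege_tier(PERMISSIONS.get(user, set()))
    required = REQUIRED_CHECKS[tier]
    passed = registry.verify(user, evidence)
    return required <= passed, tier, required - passed


if __name__ == "__main__":
    reg = ResetRegistry()
    reg.register_answer("part_timer", "Smith")
    reg.register_answer("ceo", "Jones")
    print(reset_allowed("part_timer", {"security_question": "smith"}, reg))
    print(reset_allowed("ceo", {"security_question": "Jones"}, reg))
```

A part-time user with only read rights completes the reset with a single registered answer, whereas the CEO's request is refused until the one-time code and manager approval are also supplied; the returned set of missing steps tells the reset front end what to prompt for next without lowering the bar for the high-privilege account.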